also sprach Jeroen van Wolffelaar <jeroen@wolffelaar.nl> [2005.02.07.0022 +0100]:
> however, if you're not THAT paranoid, I think you can do with
> locking down backup account, checking all files writeable by
> backup (all files with recent ctime?), and places like /var/tmp,
> /tmp, etc.
Once an attacker is on the system, you cannot be sure anymore that
you can track his/her actions down. Sophisticated root kits exist to
cover all (!) traces.
You can put another box in front of the suspect one and check
whether any unexpected traffic flows. Use snort. Do that for an
extended period of time. If you see anything suspicious,
investigate, but don't hesitate.
I would simply reinstall.
--
Please do not send copies of list mail to me; I read the list!
.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, admin, user, and author
`. `'`
`- Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!